VPN user not behind NAT device problem

Have a problem with a Cisco VPN connection....
Using a VPN 3000 and have no issues with users connecting behind a NAT'd device (using either NAT-T or TCP 10000). The moment a user is NOT behind a NAT'd device, it still connects, gets a DHCP IP assignment and looks to auth, but no traffic passes. Either way, IPSEC-UDP or IPSEC-TCP, nothing works other than connecting.

Whatever configs you need, let me know. Otherwise, I'd be grateful if someone had some ideas.

I notice that the user is using version 4.0.5 (D) of the VPN client. The first thing I would suggest is to have him upgrade to the latest 4.8 version of the client. This may fix whatever issue is there and it's fast and easy to try out...


shashiajAuthor Commented: 2007-03-29

That was just one instance. I was able to replicate the issue locally, via a Comcast circuit, and it's already using 4.8. Wish that was the case, but tried that already..... :(


shashiajAuthor Commented: 2007-03-29

Another notable: the concentrator is running parallel to the PIX. It's not inline.

Try this test...while the VPN client is connected, go to the VPN Concentrator web GUI and go to Monitoring-Sessions and look at the TX Bytes and RX Bytes for that VPN client session. Note the IP address assigned to that client and then ping that IP address. Do the TX Bytes and/or RX Bytes increase?


shashiajAuthor Commented: 2007-03-30

Did that as well. No information changes. But, on another note....
I found a workaround for it.
1. created an in/out filter for UDP 10000
2. assigned it to the public interface
3. removed the "inherit" for IPSEC/UDP in the client config. But, it's still selected, just not inherited.

Of course, another site that I work with doesn't have to do that, so I opened a TAC case and apparently it got the bees buzzing and the dev team is looking at it. I was able to walk them through the scenario and they were able to replicate the issue. They agreed with my workaround, for what that's worth. So, I guess there's a bug they're looking at.... If I get more on it, which I doubt I'll get from them, I'll add it here.